Abstract



In this paper, we give two algorithms to compute preimages of curves under polynomial endomorphisms. In particular, this gives an efficient way of computing preimages of points. Furthermore, we explain the abstract setting under which one can iteratively compute the inverse of a polynomial automorphism.

1 Notations

Let $R$ be a commutative ring with one.

We write $\mathrm{MA}_n(R)$ for the set of polynomial maps $R^n \to R^n$. $\mathrm{GA}_n(R)$ is the subset of $\mathrm{MA}_n(R)$ of invertible polynomial maps. Define $A := R^{[n]} := R[X_1, \ldots, X_n]$. Write $I$ for the identity map on $R^n$. We will use the notation $k$ for any field.

2 Introduction and motivation 

If $F \in \mathrm{GA}_n(k)$ then there are several algorithms to compute the inverse. Essen's algorithm (see [1]) uses Groebner bases to directly compute the inverse. This algorithm is in general not very efficient unless the dimension and the degree of $F$ are both low. In dimension $n = 2$ there exist several other algorithms [1], [3], which are actual algorithms that decide in finite time if the map is invertible. These algorithms are due to the fact that in dimension $n = 2$ the automorphism group is understood by the Jung-van der Kulk theorem, and are rather efficient.

An ad-hoc way of computing the inverse of a map is computing its formal power series inverse step by step. For this, bring your map on the form $F = I + H$ where $H$ has no linear or affine part. Any such endomorphism has an inverse $G$ in the formal power series ring $k[[X_1, \ldots, X_n]]$ of the form $G = I - K$ where $K$ has no linear or affine part. What one can do is start computing the coefficients of $G$ from the lowest degree and up: if the coefficients of $G$ are known up to degree $d$, then the coefficients of degree $d + 1$ can be computed since $F(G)$ is the identity up to degree $d$, and the part of degree $d + 1$ fixes the coefficients of $G$ of degree $d + 1$. In case $F$ is invertible, this procedure at some degree yields the polynomial inverse (the computation may continue but will only yield zero coefficients from that degree on). The efficiency of this approach is sometimes better, sometimes worse than the Essen algorithm (depending on implementation, size and degree of the automorphism, etc.).

Another way of computing the inverse of a map is decomposing the map into simpler invertible maps. So far the only case where this works is in dimension two over a field, though the non-field case saw some progress through the recent work of Umirbaev-Shestakov [10], [11]. (This work provides an algorithm to check if $F \in \mathrm{TA}_2(\mathbb{C}[Z])$, and gives a decomposition in this case.)

The obstructions in the above algorithms are obvious. There is one that we would like to mention, which is that the inverse of $F \in \mathrm{GA}_n(k)$ may have much larger degree than $F$ and may contain a huge number of nonzero coefficients. If $\deg(F) = d$, then $\deg(F^{-1}) \le d^{n-1}$ and this bound can be attained easily (possibly the bound is attained by a generic automorphism, even). This means that an inverse might not fit in any computer in explicit form, and one would actually require a decomposition into simpler automorphisms.

Our results:

In this paper we address some of the above issues, mainly by focusing on computing preimages of points, instead of computing the inverse directly. First, a variation on the above power-series computation of the inverse is done in section 3. In section 4 we show how this viewpoint can be used to efficiently compute preimages of polynomial automorphisms or even endomorphisms, without actually computing the inverse. We give two algorithms to do this: First, the already known algorithm of van den Essen, which uses Groebner bases, can be used. Its efficiency may still be an issue, as it comes down to solving a system of $n$ equations in $n$ variables. The second method, which is a specialisation of the before-mentioned iterative computation of the inverse, seems to be rather efficient. This algorithm computes a parametrized preimage curve (if it exists) to a given parametrized curve $g$, i.e. if $g(t) : k \to k^n$ is given, the algorithm computes $f(t)$ such that $F(f(t)) = g(t)$. The advantage of the Groebner bases algorithm is that the latter gives a criterion to decide if there is no preimage curve.

We point out how this might affect cryptographic systems like the TTM method (positively or negatively).

3 Iterative computation of the inverse 

Examples and background

Suppose that $F = I - H \in \mathrm{MA}_n(R)$ where $H \in (\mathfrak{a}A)^n \subset \mathrm{MA}_n(R)$ and $\mathfrak{a}$ is an ideal of $A$. The following is well-known:

Proposition 3.1. Let $\mathfrak{a}$ be an ideal of $A$ such that $\bigcap_i \mathfrak{a}^i = 0$. Let $F = I - H$ where $H \in \mathfrak{a}A^n$. Then $F$ has an inverse in the $\mathfrak{a}$-adic completion of $A$.

The above proposition is often applied for the case that $A = k[X_1, \ldots, X_n]$ and $\mathfrak{a} = (X_1, \ldots, X_n)A$, and $F = I - H$ where $H \in \mathfrak{a}^2 A^n$. For completeness' sake, we indicate how this $\mathfrak{a}$-adic inverse is computed and how it can yield the inverse if it exists. If $I + K$ is the inverse, then it is clear that $K \in \mathfrak{a}^2 A^n$. Now inductively, if the coefficients of $K$ up to and including degree $d$ are known, giving a map $K_d$ which matches $K$ up to and including degree $d$, then $(I - H)(I + K_d) \bmod \mathfrak{a}^{d+1} = I$. Putting the coefficients of $K$ of degree $d + 1$ as variables, and computing $(I - H)(I + K) \bmod \mathfrak{a}^{d+2}$, yields a system of linear equations over $R$ that is always solvable. In particular, if $I - H$ has a polynomial inverse, then at some point in this process one will have the inverse.

The interesting thing is that one can also apply such a technique for other ideals $\mathfrak{a} \subset A$; for example, if $H = (2X_2 + X_2^2, 0)$ and $R = \mathbb{Z}$, then one can compute the inverse in the $(2, X_1, X_2)$-adic completion, which in this case again describes the actual inverse of $I - H$. However, things get tricky: what are the requirements on $H$ to make this work? If an inverse exists, can one just approximate it or actually give an inverse? For example, if $R = \mathbb{C}[[t]]$, $F = X_1 - tX_1$ and one starts to compute coefficients of an inverse in the $t$-adic completion, then there will be no point in the computation where the coefficient will be known (the coefficient is $(1 - t)^{-1}$ while after $m$ steps one has $1 + t + t^2 + \ldots + t^m$).

In this section, we describe a slightly different method to iteratively compute the power series inverse, that is at first not necessarily more efficient, but has some conceptual value that we will see later on. Next to that, we will give the abstract setting in which this (and the power-series method) works for other cases than the ideal $(X_1, \ldots, X_n)$. The very rough, unpolished, basic algorithm (which never stops in this form) is the following:

Algorithm 1: Suppose $I - H \in \mathrm{MA}_n(R)$ is given.

(1) Let $d = 0$ and choose $K_0 \in \mathrm{MA}_n(R)$ arbitrarily (standard choice is $K_0 = 0$).

(2) Define $K_{d+1} := H(I + K_d)$.

(3) Increase $d$, goto (2).

We will discuss later under what condition this algorithm makes sense and works; the idea is that $K_d$ converges to $K$ such that $I + K$ is the inverse. A working example for later reference:

Example 3.2. Define $A_i := (X_1, \ldots, X_n)^{i+1}A$ and assume $H \in A_1$. Let $I + K$ be the formal power series inverse of $I - H$. Choose $K_0 = 0$ and define $K_i$ as above. Then $K \bmod A_i = K_i \bmod A_i$. In particular, if $I - H$ is indeed invertible, then $K_i \bmod A_i$ "equals" $K$, where this "equals" means that taking the element in $\mathrm{MA}_n(R)$ which has the same coefficients as $K_i$ up to degree $i$, and zeros from degree $i + 1$ on, then this is equal to $K$.

When does iteration lead to an inverse in finitely many steps?

This section is more abstract than section 4 and beyond; the reader interested in the more applicable aspects of this paper can forward to section 4. Also, it may be helpful to keep the (most important) example 3.2, where $\mathfrak{a} = (X_1, \ldots, X_n)A$, $A_0 = \mathfrak{a}A$, $A_1 = \mathfrak{a}^2 A$, $A_2 = \mathfrak{a}^3 A$, ..., in mind when reading the below definitions:

Suppose $A \supseteq A_0 \supseteq A_1 \supseteq \ldots$ is a descending chain of ideals such that $\bigcap A_i = (0)$. We denote the projections $\pi_d : A \to A/A_d$ as well as $\pi_d^{d+e} : A/A_{d+e} \to A/A_d$. We assume that for each $d$ we have a section $s_d : A/A_d \to A$, i.e. $\pi_d s_d(a) = a$ for all $a \in A/A_d$.



Definition 3.3. We call $A \supseteq A_0 \supseteq \ldots$ a composition-filtration if for any $H \in (A_1)^n$, $G, G' \in (A_0)^n$ we have: $\pi_d(G) = \pi_d(G') \Longrightarrow \pi_{d+1}(H(G)) = \pi_{d+1}(H(G'))$. We say that the $s_d$ form a converging system of sections^1 if for all $a \in A$ there exists $D \in \mathbb{N}$ such that if $d > D$, then $s_d\pi_d(a) = a$.

Let us explain how the above definition appears in example 3.2. Here, $A_i := (X_1, \ldots, X_n)^{i+1}A$. This indeed is a composition-filtration, as can be easily verified (substituting something having no terms below degree $d$ into something having no terms below degree 2 yields something having only terms of degree $2d$ or higher). The sections $s_d$ here are the obvious canonical bijective maps sending $A/A_d$ to the elements in $A$ of degree $\le d$. Indeed, given $a \in A$, one can take $D := \deg a$, showing that this set of sections is a converging system of sections.

We define the following abbreviation of assumptions:

(P) stands for the following list of assumptions: $A_0 \supseteq A_1 \supseteq \ldots$ is a composition-filtration, and we have a returning system of sections $s_i : A/A_i \to A$. Let $F = I - H$ and $F^{-1} = I + K$. Assume $H \in (A_1)^n$, $I \in (A_0)^n$ the identity map.

^1 The authors did not find any already existing term in the literature.

The iterative inverse algorithm 

Definition 3.4. Define $\varphi : \mathrm{MA}_n(R) \to \mathrm{MA}_n(R)$ by $\varphi(K) := H(I + K)$.

Lemma 3.5. Assume (P). Let $K' \in (A_0)^n \subset \mathrm{MA}_n(R)$. If $\pi_d K' = \pi_d K$, then $\pi_{d+1}\varphi(K') = \pi_{d+1}K$.

Proof. Because we have a composition-filtration, $\pi_d(I + K') = \pi_d(I + K)$ implies $\pi_{d+1}(H(I + K')) = \pi_{d+1}(H(I + K))$. We claim that the latter equals $\pi_{d+1}(K)$: since $I = (I - H)(I + K) = I + K - H(I + K)$ we have $H(I + K) = K$. □

Corollary 3.6. Assuming (P), the chain $0 = K_0$, $K_{d+1} := s_{d+1}\pi_{d+1}\varphi K_d$ stabilises.

Proof. First we give a proof by induction on $d$ to show that $\pi_d K_d = \pi_d K$ (*). This statement is obviously true for $d = 0$. Assuming $\pi_d K_d = \pi_d K$, we get by lemma 3.5 that $\pi_{d+1}K = \pi_{d+1}\varphi K_d$. Since $\pi_{d+1}s_{d+1}\pi_{d+1} = \pi_{d+1}$ for every $d$, $\pi_{d+1}K = \pi_{d+1}\varphi K_d = \pi_{d+1}s_{d+1}\pi_{d+1}\varphi K_d = \pi_{d+1}K_{d+1}$ (end induction).

Now $s_d\pi_d K_d = s_d\pi_d s_d\pi_d\varphi K_{d-1}$ and since $\pi_d s_d$ is the identity this equals $s_d\pi_d\varphi K_{d-1} = K_d$, thus $s_d\pi_d K_d = K_d$ (**). Since we have a returning system of sections, we have some $D \in \mathbb{N}$ such that if $d > D$ then $s_d\pi_d K = K$ (***). Thus,

$K_d \overset{(**)}{=} s_d\pi_d K_d \overset{(*)}{=} s_d\pi_d K \overset{(***)}{=} K$

whenever $d > D$ (only to ensure (***)). □

The above corollary thus gives an algorithm, which we now denote separately:

Algorithm 2: Assume (P). Input $H \in (A_1)^n$.

(1) Let $d = 0$ and $K_0 = 0 \in A^n$.

(2) Define $K_{d+1} := s_{d+1}\pi_{d+1}H(I + K_d)$.

(3) If $K_d = K_{d+1}$, and $K_{d-1} \neq K_d$, then check if $H(I + K_d) = K_d$. If YES then STOP; output $I + K_d$.

(4) Increase $d$, goto (2).



More examples 

Example 3.7. $A := \mathbb{Z}[X_1, \ldots, X_n]$, and $A_i := 2^i A$. Let $F = (x + 2y + 4x^2, y + 2x^2)$ and thus $H = I - F = (-2y - 4x^2, -2x^2)$ in $(A_1)^2$. One can check that this is indeed a composition-filtration. The sections $s_d : A/A_d \to A$ must be chosen a bit carefully: we know that the inverse of $F$ will have coefficients that are "not far from zero", i.e. there is a bound $D$ for which the coefficients must be in the interval $[-D, D]$. Therefore, we take the section map $s_d$ that sends elements of $\mathbb{Z}/(2^d\mathbb{Z})$ into the interval $[-2^{d-1}, 2^{d-1} - 1]$, which is indeed a returning section. If one chooses the interval $[0, 2^d - 1]$ as is custom, it is not a returning section.

Now the iteration process yields $K_0 := (0, 0)$, $K_1 = K_0$, $K_2 = (-2y, -2x^2)$, $K_3 = K_2$. The algorithm in step 3 now checks if $I + K_3$ is the inverse of $I - H$, but it is not, so we continue. $K_4 := (-2y, -2x^2 - 8xy - 8y^2)$, $K_5 := (-2y, -2x^2 + 8xy - 8y^2)$, $K_6 = K_5$ and $I + K_5$ turns out to be the inverse.

Example 3.8. Let $F \in \mathrm{GA}_n(k)$ be such that the linear part of $F$ is $I$. For example, let $F = (X + Y^2 + 2X^2Y + X^4, Y + X^2)$. Let $H := F - I$. We define $A_d := (X, Y)^{d+1}k[X, Y] \subset k[X, Y]$. Now $K_0 := (0, 0) = K_1 = K_2$, $K_3 = (Y^2, X^2)$, $K_4 = (Y^2, X^2 - 2XY^2)$, $K_5 = (Y^2, X^2 - 2XY^2 + Y^4)$ and since $K_6 = K_5$ it is time to check if this might be the inverse (otherwise one has to continue). Indeed, $(I - K_5)F = I$.

In the case that $A = R^{[n]}$ where $R$ is a reduced $k$-algebra, and $A_d = (X_1, \ldots, X_n)^{d+1}A$, the algorithm is effective in deciding if a map is invertible. This is due to the theorem that $\deg(F^{-1}) \le \deg(F)^{n-1}$ if $R$ is a reduced ring (corollary 2.3.4 in [5]).

4 Injective morphisms 

Iterative preimage algorithm 

In this section, we will assume that $F : R^n \to R^n$ is a polynomial endomorphism of the form $F = I - H$ where $H$ has affine part zero. Suppose $g(t) := (g_1(t), \ldots, g_n(t)) \in (R[t])^n$ is a nonzero curve satisfying $g(0) = 0$, and $f(t) := F(g(t))$, which hence is a curve contained in the image of $F$. (Note that $f(0) = F(g(0)) = F(0) = 0$.) Since $F$ is of the described form, its extension $F : R[[t]]^n \to R[[t]]^n$ is an automorphism. Hence, there is at most one parametrized curve $g(t)$ satisfying $g(0) = 0$ such that $F(g(t)) = f(t)$. (Note: being the image of such a parametrized curve may be something stronger than being a curve which is contained in the image of $F$!) We will describe a method to compute the curve $g(t) := (g_1(t), \ldots, g_n(t))$ given $f(t)$ and $F$.

Remark 4.1. Given $F = I - H$ where the affine part of $H$ is zero, and $f(t) \in R[t]^n$ such that $f(0) = 0$. Then there exists at most one $g(t) \in R[t]^n$ satisfying $g(0) = 0$ such that $F(g) = f$.

Proof. Since $F$ is of the form $I - H$ where $H$ has affine part zero, it has a power series inverse $G$. If $f \in R[[t]]^n$ such that $f(0) = 0$, then $g := G(f)$ is a well-defined element of $R[[t]]^n$. Since in this case $g = G(f) = G(F(g)) = g$, $g$ is unique. In case $g \in R[t]^n$, there is one solution; if $g \in R[[t]]^n \setminus R[t]^n$ there is none. □

Algorithm 3: $F$, $f$ as above.

(1) Let $d = 1$ and $K_1 = 0 \in R^n$.

(2) Define $K_{d+1} := H(f + K_d) \bmod (t^{d+1})$.

(3) If $K_d = K_{d+1}$, and $K_{d-1} \neq K_d$, then check if $H(f + K_d) = K_d$. If YES then STOP; output $f + K_d$.

(4) Increase $d$, goto (2).

Proposition 4.2. If $f \in R[t]^n$ satisfying $f(0) = 0$ and there is some $g \in R[t]^n$, $g(0) = 0$ such that $F(g) = f$, then the above process terminates, and the output equals $g$. Furthermore, $g$ is unique.

Proof. Uniqueness follows from remark 4.1. We will prove that $K_d = g - f \bmod t^d$. The case $d = 1$ is trivial. Assume $K_d = g - f \bmod t^d$. Then $K_{d+1} = H(f + K_d) \bmod t^{d+1}$. Now remark that since $H$ has affine part zero, for any $p, q \in R[t]^n$ satisfying $p(0) = q(0) = 0$ we have $p = q \bmod t^d \Longrightarrow H(p) = H(q) \bmod t^{d+1}$. Note that $f + K_d = g \bmod t^d$, hence $H(f + K_d) = H(g) \bmod t^{d+1}$. Since $f = F(g) = (I - H)(g) = g - H(g)$, we have $H(g) = g - f$. Concluding, $K_{d+1} = H(f + K_d) = g - f \bmod t^{d+1}$. The proposition now follows. □

In case $F$ is an automorphism, there is obviously no need to require that $f = F(g)$ for some $g$; one only needs to assume that $f(0) = 0$, for then $g := F^{-1}(f)$ satisfies $g(0) = 0$.

Remark 4.3. If $F$ is an automorphism, then a preimage of $c \in R^n$ can be computed by computing the preimage curve $g(t)$ of $ct := (c_1 t, \ldots, c_n t)$, and then $g(1)$ is the preimage of $c$ (since $F(g(t)) = ct$). (One could take any curve $f$ through $c$ satisfying $f(0) = 0$, though.) Our experiments have shown this setting to be quite efficient.
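To make the two iterations concrete, here is an added example (my own code, not the paper's Maple files) that runs Algorithm 2 with a pluggable section map, covering the degree filtration of example 3.2 and the symmetric 2-adic sections of example 3.7, and Algorithm 3 together with the point trick of remark 4.3, in plain Python on a small dict-based polynomial arithmetic. It takes $H = I - F$ as in (P), so on example 3.8's map its $K$ is the negative of the $K_d$ listed there (which use $H := F - I$). The function names `degree_section`, `symmetric_2adic_section`, `iterative_inverse`, `preimage_curve` and `preimage_point`, and the inputs `F_EX38`, `F_EX37` and `F_NONINV`, are my own; the first two inputs are the maps of examples 3.8 and 3.7, the third is a constructed non-invertible map.

```python
# Added example (not code from the paper): a small dict-based polynomial
# arithmetic used to run Algorithm 2 (sections of examples 3.2 and 3.7) and
# Algorithm 3 with remark 4.3.  A polynomial is {exponent tuple: int coeff}.

def add(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, 0) + c
    return {e: c for e, c in r.items() if c}

def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = r.get(e, 0) + c1 * c2
    return {e: c for e, c in r.items() if c}

def compose(p, args, nv):
    """p(args): substitute args[i], a polynomial in nv variables, for X_i."""
    r = {}
    for e, c in p.items():
        term = {(0,) * nv: c}
        for a, k in zip(args, e):
            for _ in range(k):
                term = mul(term, a)
        r = add(r, term)
    return r

def ident(n):
    return tuple({tuple(int(i == j) for j in range(n)): 1} for i in range(n))

def vadd(F, G):
    return tuple(add(p, q) for p, q in zip(F, G))

def vsub(F, G):
    return tuple(add(p, {e: -c for e, c in q.items()}) for p, q in zip(F, G))

def vcompose(F, G, nv):
    return tuple(compose(p, G, nv) for p in F)

def deg(F):
    return max((sum(e) for p in F for e in p), default=0)

def degree_section(p, d):
    """Example 3.2: A_d = (X)^{d+1}, so s_d pi_d keeps total degree <= d."""
    return {e: c for e, c in p.items() if sum(e) <= d}

def symmetric_2adic_section(p, d):
    """Example 3.7: A_d = 2^d A, s_d sends Z/2^d Z onto [-2^(d-1), 2^(d-1)-1]."""
    m, h = 2 ** d, 2 ** (d - 1)
    r = {e: (c + h) % m - h for e, c in p.items()}
    return {e: c for e, c in r.items() if c}

def iterative_inverse(F, section, max_steps):
    """Algorithm 2 for F = I - H: K_{d+1} := s_{d+1} pi_{d+1} H(I + K_d).
    Returns F^{-1} = I + K, or None if no exact inverse is reached."""
    n = len(F)
    I = ident(n)
    H = vsub(I, F)
    K_prev, K = None, tuple({} for _ in range(n))
    for d in range(max_steps):
        HK = vcompose(H, vadd(I, K), n)
        K_next = tuple(section(p, d + 1) for p in HK)
        if K_next == K and K != K_prev and HK == K:   # step (3)
            return vadd(I, K)
        K_prev, K = K, K_next
    return None

def preimage_curve(F, f, max_deg):
    """Algorithm 3: f(t), f(0) = 0, coordinates as dicts with 1-tuple exponents;
    K_{d+1} := H(f + K_d) mod t^{d+1}.  Returns g with F(g) = f, g(0) = 0."""
    n = len(F)
    H = vsub(ident(n), F)
    K_prev, K = None, tuple({} for _ in range(n))
    for d in range(1, max_deg + 2):
        HK = vcompose(H, vadd(f, K), 1)
        K_next = tuple(degree_section(p, d) for p in HK)   # reduce mod t^{d+1}
        if K_next == K and K != K_prev and HK == K:
            return vadd(f, K)
        K_prev, K = K, K_next
    return None

def preimage_point(F, c):
    """Remark 4.3: preimage of c is g(1), g the preimage curve of c*t;
    deg(g) <= deg(F^{-1}) <= deg(F)^(n-1) over a reduced ring."""
    f = tuple({(1,): ci} if ci else {} for ci in c)
    g = preimage_curve(F, f, deg(F) ** (len(F) - 1))
    return None if g is None else tuple(sum(p.values()) for p in g)

# Constructed inputs.  Example 3.8: F = (X + Y^2 + 2X^2Y + X^4, Y + X^2).
F_EX38 = ({(1, 0): 1, (0, 2): 1, (2, 1): 2, (4, 0): 1}, {(0, 1): 1, (2, 0): 1})
# Example 3.7 over Z: F = (x + 2y + 4x^2, y + 2x^2).
F_EX37 = ({(1, 0): 1, (0, 1): 2, (2, 0): 4}, {(0, 1): 1, (2, 0): 2})
# (X + Y^2, Y + X^2): Jacobian determinant 1 - 4XY, so not invertible.
F_NONINV = ({(1, 0): 1, (0, 2): 1}, {(0, 1): 1, (2, 0): 1})
```

`iterative_inverse(F_EX38, degree_section, 6)` returns $(X - Y^2,\ Y - X^2 + 2XY^2 - Y^4)$ at $d = 4$, one index earlier than the chain printed in example 3.8, because here $K_{d+1}$ is reduced modulo $A_{d+1} = (X, Y)^{d+2}$, i.e. kept up to degree $d + 1$. `iterative_inverse(F_EX37, symmetric_2adic_section, 8)` reproduces $K_2, \ldots, K_6$ of example 3.7 and stops at $d = 5$ with $(x - 2y,\ y - 2x^2 + 8xy - 8y^2)$; with the customary interval $[0, 2^d - 1]$ it would not stabilise. `preimage_point(F_EX38, (2, 3))` returns $(-7, -46)$ via the curve $g(t) = (2t - 9t^2,\ 3t - 4t^2 + 36t^3 - 81t^4)$. The step bound for the degree filtration comes from $\deg(F^{-1}) \le \deg(F)^{n-1}$ quoted after example 3.8; for the 2-adic filtration the page states no such bound, so `max_steps` is only a safety cap there.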

Groebner bases preimage algorithm 

In this section we give another method to compute preimages of points and curves under polynomial automorphisms. We stick to the case where $R = k$, a field.

In [5], theorem 3.2.1/3.2.3 (page 64), an algorithm is given to compute the inverse (and effectively decide if an endomorphism is an automorphism). We will quote the case we will need here:

Theorem 4.4 (van den Essen). Let $F \in (k[X_1, \ldots, X_n])^n$ be a polynomial endomorphism. Let $I = (Y_1 - F_1, \ldots, Y_n - F_n)$ be an ideal in $k[X_1, \ldots, X_n, Y_1, \ldots, Y_n]$. Let $B$ be the reduced Groebner basis of $I$ with respect to an ordering where $Y^\alpha < X_i$ for each $\alpha \in \mathbb{N}^n$, $1 \le i \le n$. $F$ is invertible if and only if $B$ is of the form $(X_1 - G_1(Y), \ldots, X_n - G_n(Y))$, and in that case $G := (G_1, \ldots, G_n)$ is the inverse of $F$.

The following is straightforward: 



Corollary 4.5. Let $F \in (k[X_1, \ldots, X_n])^n$ be a polynomial endomorphism. Let $I = (c_1 - F_1, \ldots, c_n - F_n)$ where $c_i \in k$ be an ideal in $k[X_1, \ldots, X_n]$. Let $B$ be the reduced Groebner basis of $I$. Then

(1) $B = (X_1 - b_1, \ldots, X_n - b_n)$ if and only if $F(X_1, \ldots, X_n) = c$ has only one solution.

(2) If $B$ is not of the form in (1) then $F$ is not an automorphism.

We will give a modified version of the above theorem of van den Essen to find preimages of curves.

Definition 4.6. Let $F = I - H \in k[X_1, \ldots, X_n]^n$ where $H$ has affine part zero, and $f, g \in k[t]^n$ such that $f(0) = g(0) = 0$. Then we define the following ideals in $k[t][X_1, \ldots, X_n]$: $(F - f) := (F_1 - f_1, \ldots, F_n - f_n)$ and $(X - g) := (X_1 - g_1, \ldots, X_n - g_n)$.

The only reason we assume that $F$ is of the described form $I - H$ is because we can then use remark 4.1.

Theorem 4.7. Let $F \in (k[X_1, \ldots, X_n])^n$ be a polynomial endomorphism, and let $f(t)$ be a curve. Let $B$ be the reduced Groebner basis of $(F - f)$ with respect to an ordering where $t^m < X_i$ for each $m \in \mathbb{N}$, $1 \le i \le n$. Now

(1) $B = (X_1 - g_1, \ldots, X_n - g_n)$ if and only if $(F - f) = (X - g)$. In particular, if $F$ is an automorphism, then $B$ is of the said form.

(2) If $F(g) = f$, then $B \subset (X - g)$. Hence, a curve $g$ such that $F(g) = f$ can, if it exists, be found by finding an ideal $(X - g) \supseteq B$.

Note that in part (2), finding such a $g$ may have become much easier because of the simpler form of $B$ compared to $(F - f)$.

Theorem 4.7 is based on the following lemma:

Lemma 4.8. (1) $(F - f) \subset (X - g) \Longleftrightarrow F(g) = f$.

(2) In case $F \in \mathrm{GA}_n(k)$, we have $(F - f) \subset (X - g) \Longleftrightarrow (F - f) = (X - g) \Longleftrightarrow F(g) = f$.

Proof. $(F - f) \subset (X - g) \Longleftrightarrow (F - f) = 0 \bmod (X - g) \Longleftrightarrow F_i(X) - f_i = 0 \bmod (X - g)$ for all $1 \le i \le n$ $\Longleftrightarrow F_i(g) - f_i = 0$ for all $1 \le i \le n$ $\Longleftrightarrow F(g) = f$, proving (1).

If $F$ is invertible, then let $G$ be the inverse of $F$. By (1), $(F - f) \subset (X - g) \Longleftrightarrow F(g) = f$, but also $G(f) = g$, hence $(G - g) \subset (X - f)$. Substituting $X := F$ in the latter yields $(X - g) \subset (F - f)$, proving (2). □

Proof of theorem 4.7. (1) Suppose $(F - f) = (X - g)$. Then, since $(X_1 - g_1, \ldots, X_n - g_n) = (X - g)$ is a reduced basis of $(F - f)$, this must be the result of the algorithm. The other way around, if $B = (X_1 - g_1, \ldots, X_n - g_n)$, then of course $(F - f) = (X_1 - g_1, \ldots, X_n - g_n) = (X - g)$ since it's the same ideal, only a different basis. (2) is just a reformulation of lemma 4.8, part (1). □

Maple files of algorithms: If you are interested in Maple files using the iterative preimage algorithm, contact the authors.




References 

[1] K. Adjamagbo, A. van den Essen, A new inversion formula for a polynomial map in two variables. J. Pure Appl. Algebra 76 (1991), no. 2, 119-120.

[2] L. Goubin, N. Courtois, Cryptanalysis of the TTM cryptosystem. Advances in cryptology, ASIACRYPT 2000 (Kyoto), 44-57, Lecture Notes in Comput. Sci., 1976, Springer, Berlin, 2000.

[3] M. Dickerson, The inverse of an automorphism in polynomial time. J. Symbolic Comput. 13 (1992), no. 2, 209-220.

[4] A. van den Essen, A criterion to decide if a polynomial map is invertible and to compute the inverse. Comm. Algebra 18 (1990), no. 10, 3183-3186.

[5] A. van den Essen, Polynomial Automorphisms and the Jacobian Conjecture. Progress in Mathematics, vol. 190, Birkhauser (2000).

[6] J. Ding, T. Hodges, Cryptanalysis of an implementation scheme of the tamed transformation method cryptosystem. J. Algebra Appl. 3 (2004), no. 3, 273-282.

[7] T. Moh, A public key system with signature and master key functions. Comm. Algebra 27 (1999), no. 5, 2207-2222.

[8] T. Moh, An application of algebraic geometry to encryption: tame transformation method. Proceedings of the International Conference on Algebraic Geometry and Singularities (Spanish) (Sevilla, 2001). Rev. Mat. Iberoamericana 19 (2003), no. 2, 667-685.

[9] T. Moh, On the signature scheme TTMs. Affine algebraic geometry, 379-401, Osaka Univ. Press, Osaka, 2007.

[10] I. Shestakov, U. Umirbaev, The tame and the wild automorphisms of polynomial rings in three variables. J. Amer. Math. Soc. 17 (2004), no. 1, 197-227.

[11] I. Shestakov, U. Umirbaev, Poisson brackets and two-generated subalgebras of rings of polynomials. J. Amer. Math. Soc. 17 (2004), no. 1, 181-196.



